CRI-O v1.34.0

CRI-O v1.34.0

The release notes have been generated for the commit range v1.33.0…259e23f on Wed, 20 Aug 2025 07:47:13 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.259e23fd4353e67b59b33a0457202210f40322ec.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --signature cri-o.amd64.259e23fd4353e67b59b33a0457202210f40322ec.tar.gz.sig \
    --certificate cri-o.amd64.259e23fd4353e67b59b33a0457202210f40322ec.tar.gz.cert

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.259e23fd4353e67b59b33a0457202210f40322ec.tar.gz
> bom validate -e cri-o.amd64.259e23fd4353e67b59b33a0457202210f40322ec.tar.gz.spdx -d cri-o

Changelog since v1.33.0

Changes by Kind

Dependency-Change

Updated pause image to 3.10.1. (#9339, @saschagrunert)

Other

Log additional container information when stopping container. (#9302, @bitoku)

Deprecation

Deprecate insecure_registries config. (#9278, @bitoku)

API Change

Add HostNetwork field to the /info endpoint to inform cadvisor whether a container is in the host network or not. (#9411, @haircommander)

Feature

Added HugeTLB usage (container_hugetlb_usage_bytes) and maxUsage (container_hugetlb_max_usage_bytes) metrics. (#9257, @gavinkflam)
Added exec_cpu_affinity type which can specify cpu where exec command runs. (#9286, @bitoku)
Added container processes (container_processes) metric. (#9366, @gavinkflam)
Added feature to track conmon processes and emit containers_stopped_monitor_count{name=”$ctr_name”} metric when it’s stopped. (#9205, @bitoku)
Added feature to track conmon-rs processes and emit containers_stopped_monitor_count{name=”$ctr_name”} metric when it’s stopped. (#9348, @bitoku)
Added support for conmon-rs streaming server on Exec and Attach. To enable it, set stream_websockets = true as part of the runtime handler configuration. (#9289, @saschagrunert)
Early pre-validate the configured pod runtime (conmon-rs) on config validation. (#9324, @saschagrunert)

Documentation

Fixed typos in CLI and error messages.
Deprecated CONTAINER_INCLUDED_POD_METRCIS CLI environment variable in favor of CONTAINER_INCLUDED_POD_METRICS. (#9299, @saschagrunert)
Updated tracing docs to use the latest jaeger image as well as simplify the configuration. (#9342, @saschagrunert)

Bug or Regression

Fix a bug where CRI-O did not respect cases where the kubelet instructed it to unmask /proc for containers (#9285, @haircommander)
Fix a potential deadlock when an infra container is taking a long time to exit and the sandbox’s readiness is blocked on the infra container’s opLock (#9188, @haircommander)
Fix terminal resize race condition (#9246, @sohankunkerkar)
Fix the bug that pod can’t be terminated when the process is uninterruptible sleep for a while. (#9256, @bitoku)
Fix the bug where it continues to emit a metric after it confirms the conmon is stopped once (#9333, @bitoku)
Fixed a bug which caused CDI injection by NRI plugins to not being honored. NRI plugins are now able to inject CDI devices into containers. (#9128, @klihub)
Fixed segmentation fault when trying to create a lot of pods at a time. (#9272, @bitoku)
Fixes a crash introduced in 1.33.0 when cleaning up a pod that uses HostPorts on a system that has either just iptables (but not nftables) or just nftables (but not iptables). (#9222, @danwinship)
Handle missing network namespace gracefully during networkStop (#9301, @sohankunkerkar)
Server: add real-time memory validation for limit updates (#9385, @sohankunkerkar)
Server: delay CDI device injection, to ensure that CDI Spec edits take precedence over image defaults and the Pod Spec. (#9292, @klihub)
Server: ensure CNI teardown prevents IP leaks with missing netns (#9372, @sohankunkerkar)

Dependencies

Added

github.com/alibabacloud-go/tea-utils/v2: v2.0.7
github.com/cenkalti/backoff/v5: v5.0.2
github.com/go-piv/piv-go/v2: v2.3.0
github.com/go-viper/mapstructure/v2: v2.3.0
github.com/google/go-github/v72: v72.0.0
github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.0.1
github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.3.0
github.com/moby/sys/atomicwriter: v0.1.0
github.com/olekukonko/errors: v1.1.0
github.com/olekukonko/ll: v0.0.9
github.com/olekukonko/ts: 78ecb04
github.com/redis/go-redis/extra/rediscmd/v9: v9.5.3
github.com/redis/go-redis/extra/redisotel/v9: v9.5.3
gitlab.com/gitlab-org/api/client-go: v0.127.0
go.etcd.io/raft/v3: v3.6.0
go.yaml.in/yaml/v2: v2.4.2
go.yaml.in/yaml/v3: v3.0.4
sigs.k8s.io/structured-merge-diff/v6: v6.2.0

Changed

capnproto.org/go/capnp/v3: v3.0.1-alpha.2 → v3.1.0-alpha.1
cel.dev/expr: v0.20.0 → v0.24.0
cloud.google.com/go/auth: v0.15.0 → v0.16.2
cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
cloud.google.com/go/iam: v1.4.1 → v1.4.0
cloud.google.com/go/kms: v1.21.1 → v1.21.0
cloud.google.com/go/longrunning: v0.6.5 → v0.6.4
cuelabs.dev/go/oci/ociregistry: a39bec0 → b27552d
cuelang.org/go: v0.9.2 → v0.12.1
dario.cat/mergo: v1.0.1 → v1.0.2
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider: v0.14.0 → v0.16.1
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.17.1 → v1.17.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.2 → v1.8.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.3.1 → v1.3.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: v1.1.1 → v1.1.0
github.com/Azure/go-autorest/autorest/adal: v0.9.23 → v0.9.24
github.com/Azure/go-autorest/autorest/azure/auth: v0.5.12 → v0.5.13
github.com/Azure/go-autorest/autorest/azure/cli: v0.4.6 → v0.4.7
github.com/Azure/go-autorest/autorest/date: v0.3.0 → v0.3.1
github.com/Azure/go-autorest/autorest: v0.11.29 → v0.11.30
github.com/Azure/go-autorest/logger: v0.2.1 → v0.2.2
github.com/Azure/go-autorest/tracing: v0.6.0 → v0.6.1
github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.3 → v1.3.1
github.com/CloudNativeAI/model-spec: v0.0.4 → v0.0.6
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.26.0 → v1.27.0
github.com/Microsoft/cosesign1go: v1.2.0 → v1.4.0
github.com/Microsoft/hcsshim: v0.12.9 → v0.13.0
github.com/agnivade/levenshtein: v1.1.1 → v1.2.1
github.com/alibabacloud-go/alibabacloud-gateway-spi: v0.0.4 → v0.0.5
github.com/alibabacloud-go/debug: v1.0.0 → v1.0.1
github.com/alibabacloud-go/openapi-util: v0.1.0 → v0.1.1
github.com/alibabacloud-go/tea: v1.2.1 → v1.3.2
github.com/aliyun/credentials-go: v1.3.2 → v1.4.3
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.6.3 → v1.6.6
github.com/aws/aws-sdk-go-v2/config: v1.29.10 → v1.29.16
github.com/aws/aws-sdk-go-v2/credentials: v1.17.63 → v1.17.69
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.30 → v1.16.31
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.34 → v1.3.35
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.34 → v2.6.35
github.com/aws/aws-sdk-go-v2/internal/v4a: v1.3.15 → v1.3.21
github.com/aws/aws-sdk-go-v2/service/ecr: v1.20.2 → v1.42.0
github.com/aws/aws-sdk-go-v2/service/ecrpublic: v1.18.2 → v1.32.0
github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.3.17 → v1.4.2
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.12.15 → v1.12.16
github.com/aws/aws-sdk-go-v2/service/internal/s3shared: v1.17.15 → v1.18.2
github.com/aws/aws-sdk-go-v2/service/kms: v1.38.1 → v1.37.8
github.com/aws/aws-sdk-go-v2/service/s3: v1.58.3 → v1.65.3
github.com/aws/aws-sdk-go-v2/service/sso: v1.25.1 → v1.25.4
github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.29.2 → v1.30.2
github.com/aws/aws-sdk-go-v2/service/sts: v1.33.17 → v1.33.21
github.com/aws/aws-sdk-go-v2: v1.36.3 → v1.36.4
github.com/aws/aws-sdk-go: v1.55.6 → v1.55.5
github.com/aws/smithy-go: v1.22.2 → v1.22.3
github.com/awslabs/amazon-ecr-credential-helper/ecr-login: 8841054 → v0.9.1
github.com/buildkite/agent/v3: v3.81.0 → v3.95.1
github.com/buildkite/go-pipeline: v0.13.1 → v0.13.3
github.com/buildkite/interpolate: v0.1.3 → v0.1.5
github.com/buildkite/roko: v1.2.0 → v1.3.1
github.com/cloudflare/circl: v1.3.7 → v1.6.1
github.com/cncf/xds/go: 2f00578 → 2ac532f
github.com/containerd/containerd: v1.7.27 → v1.7.28
github.com/containers/common: v0.63.0 → v0.64.1
github.com/containers/conmon-rs: v0.6.6 → v0.7.1
github.com/containers/image/v5: v5.35.0 → v5.36.1
github.com/containers/storage: v1.58.0 → v1.59.1
github.com/coreos/go-oidc/v3: v3.13.0 → v3.14.1
github.com/cpuguy83/go-md2man/v2: v2.0.6 → v2.0.7
github.com/docker/cli: v28.0.4+incompatible → v28.3.2+incompatible
github.com/docker/docker: v28.0.4+incompatible → v28.3.3+incompatible
github.com/eggsampler/acme/v3: v3.6.0 → 0466a02
github.com/elazarl/goproxy: v1.4.0 → v1.7.2
github.com/emicklei/go-restful/v3: v3.11.0 → v3.12.2
github.com/emicklei/proto: v1.12.1 → v1.14.0
github.com/fatih/color: v1.15.0 → v1.16.0
github.com/fxamacker/cbor/v2: v2.7.0 → v2.8.0
github.com/go-chi/chi/v5: v5.2.1 → v5.2.2
github.com/go-git/go-git/v5: v5.13.2 → v5.16.2
github.com/go-jose/go-jose/v3: v3.0.3 → v3.0.4
github.com/go-logr/logr: v1.4.2 → v1.4.3
github.com/go-sql-driver/mysql: v1.9.1 → v1.5.0
github.com/golang/glog: v1.2.4 → v1.2.5
github.com/golang/mock: v1.6.0 → v1.1.1
github.com/google/cel-go: v0.23.2 → v0.25.0
github.com/google/gnostic-models: v0.6.9 → v0.7.0
github.com/google/go-containerregistry: v0.20.3 → v0.20.6
github.com/googleapis/gax-go/v2: v2.14.1 → v2.14.2
github.com/grpc-ecosystem/grpc-gateway/v2: v2.26.1 → v2.27.1
github.com/hashicorp/go-retryablehttp: v0.7.7 → v0.7.8
github.com/hashicorp/hcl: 5 → 7
github.com/hashicorp/vault/api: v1.16.0 → v1.15.0
github.com/in-toto/attestation: v1.1.0 → v1.1.1
github.com/intel/goresctrl: v0.8.0 → v0.9.0
github.com/jedisct1/go-minisign: 661be99 → d2f9f49
github.com/jellydator/ttlcache/v3: v3.3.0 → v3.4.0
github.com/jonboulle/clockwork: v0.4.0 → v0.5.0
github.com/letsencrypt/borp: 6cc6ce5 → a78493c
github.com/letsencrypt/boulder: de9c061 → 28b49a8
github.com/mattn/go-isatty: v0.0.17 → v0.0.20
github.com/mattn/go-sqlite3: v1.14.27 → v1.14.28
github.com/maxbrunsfeld/counterfeiter/v6: v6.11.2 → v6.11.3
github.com/miekg/dns: v1.1.58 → v1.1.61
github.com/mitchellh/mapstructure: v1.5.0 → 8508981
github.com/modern-go/reflect2: v1.0.2 → 35a7c28
github.com/montanaflynn/stats: 1bf9dbc → v0.7.1
github.com/olekukonko/tablewriter: v0.0.5 → v1.0.9
github.com/onsi/gomega: v1.37.0 → v1.38.0
github.com/open-policy-agent/opa: v0.68.0 → v1.4.0
github.com/opencontainers/cgroups: v0.0.2 → v0.0.4
github.com/opencontainers/runc: v1.2.6 → v1.3.0
github.com/opencontainers/runtime-tools: 260e151 → 0ea5ed0
github.com/pelletier/go-toml/v2: v2.2.2 → v2.2.3
github.com/prometheus/client_golang: v1.22.0 → v1.23.0
github.com/prometheus/client_model: v0.6.1 → v0.6.2
github.com/prometheus/common: v0.62.0 → v0.65.0
github.com/prometheus/procfs: v0.15.1 → v0.16.1
github.com/protocolbuffers/txtpbfmt: 084445f → 1ee4910
github.com/redis/go-redis/v9: v9.7.3 → v9.5.3
github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
github.com/sagikazarmark/locafero: v0.4.0 → v0.7.0
github.com/santhosh-tekuri/jsonschema/v6: v6.0.1 → v6.0.2
github.com/seccomp/libseccomp-golang: v0.11.0 → v0.11.1
github.com/sigstore/cosign/v2: v2.4.1 → v2.5.0
github.com/sigstore/protobuf-specs: v0.4.1 → v0.5.0
github.com/sigstore/rekor: v1.3.10 → v1.4.0
github.com/sigstore/sigstore-go: v0.6.1 → v0.7.1
github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.9.1 → v1.8.12
github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.9.1 → v1.8.12
github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.9.1 → v1.8.12
github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.9.1 → v1.8.12
github.com/sigstore/sigstore: v1.9.3 → v1.9.5
github.com/sigstore/timestamp-authority: v1.2.2 → v1.2.5
github.com/spf13/afero: v1.11.0 → v1.12.0
github.com/spf13/cast: v1.7.0 → v1.7.1
github.com/spf13/pflag: v1.0.6 → v1.0.7
github.com/spf13/viper: v1.19.0 → v1.20.1
github.com/tchap/go-patricia/v2: v2.3.2 → v2.3.3
github.com/theupdateframework/go-tuf/v2: v2.0.1 → v2.0.2
github.com/tink-crypto/tink-go/v2: v2.3.0 → v2.4.0
github.com/urfave/cli/v2: v2.27.6 → v2.27.7
github.com/vbauerster/mpb/v8: v8.9.3 → v8.10.2
github.com/veraison/go-cose: v1.3.0 → v1.1.0
github.com/vishvananda/netlink: 0e7078e → v1.3.1
github.com/weppos/publicsuffix-go: 5f1d033 → a8ed110
github.com/youmark/pkcs8: 1be2e3e → a2c0da2
github.com/zmap/zlint/v3: v3.6.0 → v3.6.4
go.etcd.io/bbolt: v1.4.0 → v1.4.2
go.etcd.io/etcd/api/v3: v3.5.21 → v3.6.1
go.etcd.io/etcd/client/pkg/v3: v3.5.21 → v3.6.1
go.etcd.io/etcd/client/v3: v3.5.21 → v3.6.1
go.etcd.io/etcd/pkg/v3: v3.5.21 → v3.6.1
go.etcd.io/etcd/server/v3: v3.5.21 → v3.6.1
go.mongodb.org/mongo-driver: v1.14.0 → v1.17.3
go.opentelemetry.io/contrib/detectors/gcp: v1.34.0 → v1.36.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.60.0 → v0.61.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.59.0 → v0.61.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.35.0 → v1.37.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.33.0 → v1.35.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.35.0 → v1.37.0
go.opentelemetry.io/otel/metric: v1.35.0 → v1.37.0
go.opentelemetry.io/otel/sdk/metric: v1.34.0 → v1.36.0
go.opentelemetry.io/otel/sdk: v1.35.0 → v1.37.0
go.opentelemetry.io/otel/trace: v1.35.0 → v1.37.0
go.opentelemetry.io/otel: v1.35.0 → v1.37.0
go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
go.step.sm/crypto: v0.60.0 → v0.57.0
golang.org/x/crypto: v0.38.0 → v0.40.0
golang.org/x/exp: 2d47ceb → 7e4ce0a
golang.org/x/mod: v0.24.0 → v0.26.0
golang.org/x/net: v0.40.0 → v0.42.0
golang.org/x/oauth2: v0.29.0 → v0.30.0
golang.org/x/sync: v0.14.0 → v0.16.0
golang.org/x/sys: v0.33.0 → v0.34.0
golang.org/x/telemetry: bda5523 → 8d8967a
golang.org/x/term: v0.32.0 → v0.33.0
golang.org/x/text: v0.25.0 → v0.27.0
golang.org/x/time: v0.11.0 → v0.12.0
golang.org/x/tools: v0.31.0 → v0.35.0
golang.org/x/xerrors: 93cc26a → 5ec99f8
google.golang.org/api: v0.228.0 → v0.242.0
google.golang.org/genproto/googleapis/api: a0af3ef → 513f239
google.golang.org/genproto/googleapis/rpc: e70fdf4 → 513f239
google.golang.org/grpc: v1.72.0 → v1.74.2
k8s.io/api: v0.33.0 → v0.34.0-beta.0
k8s.io/apimachinery: v0.33.0 → v0.34.0-beta.0
k8s.io/apiserver: v0.33.0 → v0.34.0-beta.0
k8s.io/client-go: v0.33.0 → v0.34.0-beta.0
k8s.io/component-base: v0.33.0 → v0.34.0-beta.0
k8s.io/cri-api: v0.33.0 → v0.34.0-beta.0
k8s.io/cri-client: v0.33.0 → v0.34.0-beta.0
k8s.io/gengo/v2: a7b603a → 85fd79d
k8s.io/kms: v0.33.0 → v0.34.0-beta.0
k8s.io/kube-openapi: c8a335a → f3f2b99
k8s.io/kubelet: v0.33.0 → v0.34.0-beta.0
k8s.io/utils: 24370be → 4c0f3b2
sigs.k8s.io/json: 9aa6b5e → cfa47c3
sigs.k8s.io/release-sdk: v0.12.2 → befb0e4
sigs.k8s.io/release-utils: v0.11.1 → v0.12.1
sigs.k8s.io/yaml: v1.4.0 → v1.6.0

Removed

cloud.google.com/go/profiler: v0.4.2
cloud.google.com/go/storage: v1.50.0
github.com/14rcole/gopopulate: b175b21
github.com/AdamKorcz/go-fuzz-headers-1: 8b5d3ce
github.com/DATA-DOG/go-sqlmock: v1.5.2
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric: v0.49.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping: v0.49.0
github.com/alessio/shellescape: v1.4.1
github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.17.10
github.com/cavaliercoder/badio: ce52801
github.com/cavaliercoder/go-rpm: 8cb9fd9
github.com/cavaliergopher/cpio: v1.0.1
github.com/go-piv/piv-go: v1.11.0
github.com/go-redis/redismock/v9: v9.2.0
github.com/google/go-github/v60: v60.0.0
github.com/google/rpmpack: v0.6.0
github.com/google/trillian: v1.7.1
github.com/google/wire: v0.6.0
github.com/grpc-ecosystem/grpc-gateway: v1.16.0
github.com/howeyc/gopass: c8aef6f
github.com/imdario/mergo: v0.3.16
github.com/jmoiron/sqlx: v1.4.0
github.com/ostreedev/ostree-go: 719684c
github.com/sassoftware/relic/v7: v7.6.2
github.com/xanzy/go-gitlab: v0.109.0
github.com/zalando/go-keyring: v0.2.3
go.etcd.io/etcd/client/v2: v2.305.21
go.etcd.io/etcd/raft/v3: v3.5.21
gocloud.dev: v0.40.0
software.sslmate.com/src/go-pkcs12: v0.4.0